The Security Accounts Manager The Security Accounts Manager , or SAM, has been used by Windows since the days of NT to store information on local user accounts (or, in the case of a domain controller, the accounts for all users on the domain). It takes the form of a registry hive, and is stored in %WINDIR%\system32\config . Generally, two types of hash are stored in the SAM: the LanMan hash and the NT hash. The LanMan hash has many flaws: It is not salted, and is thus vulnerable to precomputed dictionary attacks such as rainbow tables . The hash is split into two 7-byte pieces, which allows attacks to be performed against each piece at the same time. This also means that if the password is shorter than 7 characters, the last half of the hash will be a constant value. The password is converted to uppercase before hashing, which reduces the keyspace. The LM hash is computed by padding or truncating the password to 14 characters, splitting it into two halves, and then usin...
Comments
I am trying to analyze a record of a simple AES decryption app using PANDA with the VM you provided.
I have already created the replay using the tutorial for SSL master key. I have three questions:
1) I see that there is a Keyfind plugin. Looking at the source, it is written for the SSL key. Is there one for AES keys? Similar to aeskeyfind at (https://citp.princeton.edu/research/memory/code/)?
2) I cannot load some plugins. Notably anything that is dependent on "panda_callstack_instr" like keyfind. But I can load "panda_taint".
I get this error.
loading /home/panda/panda/qemu/x86_64-softmmu/panda_plugins/panda_callstack_instr.so
Failed to load /home/panda/panda/qemu/x86_64-softmmu/panda_plugins/panda_callstack_instr.so: libdistorm3.so: cannot open shared object file: No such file or directory
FAIL: Unable to load plugin `/home/panda/panda/qemu/x86_64-softmmu/panda_plugins/panda_callstack_instr.so'
I re-compiled and re-installed distorm to be sure. But the error still occurs.
3. I see there is a memorydump plugin. Is there a way to make several memory dumps from the replay at different times?
Thanks